Industry already responds to the vast majority of cyber security incidents, with the support of Government agencies where necessary. However, the community expects that, as a last resort and subject to appropriate limitations, Government will be able to provide assistance immediately prior to, during or following a significant cyber security incident to ensure the continued provision of essential services.
Why do we need Government Assistance?
As the cyber threat environment worsens and malicious actors become increasingly sophisticated, the resources and capability of industry to respond are being challenged. Consultation on these reforms has revealed that the public expects the Australian Government will protect the nation if a cyber incident affects Australia’s critical infrastructure and results in a risk of serious prejudice to Australia’s national interests.
Noting the importance of the services being provided by these assets, emergency circumstances may arise which require Government’s assistance. In such circumstances, it is crucial that the Government has last resort powers to respond to the incident and mitigate its impact.
How would Government Assistance work?
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 will introduce a regime which would allow the Minister for Home Affairs to authorise the Secretary of Home Affairs to exercise one of the following powers in response to the following circumstances:
- a cyber security incident has impacted, is impacting or will imminently impact a critical infrastructure asset, and
- there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or will seriously prejudice Australia’s social or economic stability, defence or national security, and
- there are no other regulatory systems to practically and effectively respond to the incident.
Information gathering directions
The Minister for Home Affairs may authorise the Secretary of Home Affairs to give a direction to the entity to provide specific information regarding a cyber security incident which is believed to be needed to determine whether the powers should be exercised. An effective and appropriate response to a serious cyber security incident requires a strong understanding of the nature and extent of the incident, including the asset’s maturity, its vulnerabilities and its interdependencies. This information will inform decisions on the need for any further Ministerial authorisations.
The Minister for Home Affairs may authorise the Secretary of Home Affairs to direct the entity to do an authorised act or thing to respond to an incident. Prior to doing so, the Minister for Home Affairs must consult the entity and be satisfied that the entity is unwilling or unable to take all reasonable steps to respond to the incident, and that the direction is reasonably necessary, proportionate and technically feasible. Any entity will be provided civil immunities for any actions taken in compliance with a direction.
The Minister for Home Affairs may authorise the Secretary of Home Affairs to request that the authorised agency do a specified act or thing. Prior to doing so, the Minister for Home Affairs must obtain the agreement of the Prime Minister and the Minister for Defence, consult the entity, and be satisfied that an action direction would not be practical or effective, the entity is unwilling or unable to take all reasonable steps to respond to the incident, and that the request is reasonably necessary, proportionate and technically feasible. This form of Ministerial authorisation is of absolute last resort, may only relate to computer-related activities, and any actions taken in response to a request will be subject to oversight by the Inspector-General of Intelligence and Security.
The Minister for Home Affairs will be required to present an annual report to Parliament which includes statistical information on the use of these powers, to ensure transparency and accountability to Parliament and the Australian public.
Government Assistance in practice
The diagram below outlines the processes, responsibilities, and safeguards that govern the exercise of the Government Assistance measures.
Critical Infrastructure - Government Assistance in practice diagram.